AI Act’s proposals and counterproposals, Cyber Resilience Act’s path set

Welcome to Euractiv’s Tech Brief, your weekly update on all things digital in the EU. You can subscribe to the newsletter here. 

“‘Foundation model means an AI model trained on a large amount of data and capable to perform a wide range of distinctive tasks.”

-European Parliament’s co-rapporteur definition of the foundation model

Story of the week: Another intense week in the negotiations of the AI Act, with a series of compromises and non-papers floating around on some of the most sensitive parts of the text. On foundation models, the Spanish EU Council presidency put for the first time black-on-white the dispositions based on the tiered approach, which includes strong cross-references to the Copyright Directive and safeguards for rightsholders. Later in the week, the co-rapporteurs reacted by putting forth a first set of criteria for classifying foundation models as ‘high-impact’. The leading MEPs also introduced some additional notions of systemic risks, proposed moving the copyright dispositions in an article dedicated to generative AI and pushed to maintain their text on responsibilities across the value chain.

Things also started moving on to the other sensitive chapter: law enforcement. For the first time, an internal document of the EU Parliament considered dropping the total ban on real-time Remote Biometric Identification in exchange for some other bans, such as biometric categorisation and emotion recognition. The question is if it will be enough for left-to-centre lawmakers, while Brando Benifei told Euractiv this is just one of the options and more proposals will follow. The Spanish presidency also circulated a first version of dispositions related to governance that include the establishment of a scientific panel. However, a key question still open is whether the red-teaming will be done by the providers themselves or externals.

Don’t miss: A political agreement on the Cyber Resilience Act at the end of November is even more likely following a constructive trilogue on Wednesday, an EU official told Euractiv. The policymakers nailed down the dispositions on the support period, with the Parliament introducing some proportionality elements and defending the five-year minimum. The only ‘red lines’ remain about the reporting obligations, with a possible solution being to give this task to the national CSIRTs with the strong involvement of ENISA, the EU’s cybersecurity agency. One sensitive question remains: who should be the first receiver of the reporting? The Commission is proposing both – a solution that might help to find a political solution but does not make sense as it multiplies the risk of exposing this sensitive information. On critical products, the Council obtained the introduction of the filtering conditions, but co-legislators are still to show their hands on the priorities for the list of product categories. Read more.

Also this week: 

• The OECD officially updated its AI definition ‘to inform the EU’s AI Act’.
• An influential legal opinion asked the EU court to re-assess the Irish case on Apple’s tax regime.
• Frontex is breaching EU data protection law, according to the European Data Protection Supervisor.
• Google and big telcos are pushing for the Commission to designate iMessage under the Digital Markets Act.
• EU policymakers closed the Political Advertising Regulation and European Digital Identity Framework.
• The Spanish presidency removed the tacit approval principle from the Gigabit Infrastructure Act.

Before we start: If you’re looking for even more tech analysis, tune in to our weekly podcast.

Today’s edition is powered by Uber 

A message from Uber: Never stop moving forward

We’re working across Europe to be better partners to drivers and couriers, better residents of the EU, and better citizens of our planet. Join us on our journey to keep moving Europe forward: Uber.com/Europe.

Find out more

Artificial Intelligence

OECD’s new definition. The OECD’s Council adopted on Wednesday the new definition of Artificial Intelligence set to be incorporated in the EU’s new AI rulebook. The change is meant to reflect the past years of market and technological developments and make the definition ‘future-proof’. The reference to ‘human-defined’ objectives was removed to cover better AI systems powered with machine-learning techniques, whilst the type of output now explicitly refers to content like images and text as the ones created by generative AI. However, while EU policymakers received the new text in October, the definition is still to be formally agreed upon in the AI Act’s negotiations. Read more.

German AI action plan. Germany wants to boost the development of AI at national and European levels, according to a new AI action plan presented by the Federal Ministry of Education and Research on Tuesday, which aims to push the EU to match the already dominant US and China. The ministry outlined 12 areas for action, including strengthening the entire AI value chain at the national and EU levels, focusing on connecting the dots with education, science and research and has pledged a €1.6 billion investment in AI over the current government’s term. Specifically, it will promote 50 ongoing measures focused on research, skills, and infrastructure development and complement them with 20 additional AI initiatives. Read more.

Keep calm, and don’t overreact. Spain’s AI and Digitalisation Minister Carme Artigas told Sifted last Monday that “nobody should overreact” against the AI Act; rather, founders should remain “very calm” about the legislation. “We haven’t improvised [the rules] six months ago. We’ve been thinking about this for three years. I can assure you that there’s no dimension we have not considered”, she said. As far as foundation models go, that is a rather bold statement.

AI key terms. Sixty-five key AI terms essential to understanding risk-based approaches, as well as interpretations and definitions, were published last Friday as part of the Fourth EU-US Trade and Technology Council held in May 2023. Since the meeting in May, the groups also mapped the involvement of the EU and US in standardisation activities to identify standards of mutual interest related to AI.

G7 competition focus on AI. G7 competition authorities and policymakers met in Tokyo on Wednesday for the G7 Competition Authorities and Policymakers’ Summit. At the summit, competition authorities, together with politicians, adopted a declaration on competition in the digital sector, with an emphasis on AI. “We see that competition authorities around the world are being equipped with new instruments that are intended to inspire and ultimately complement each other in the best possible way. In doing so, we can increasingly build on successful enforcement practice,” said Andreas Mundt, president of the German Federal competition authority, Bundeskartellamt. More discussions and exchanges are planned in the future by G7 policymakers, also to prepare for a digital competition summit in 2024, under Italy’s G7 presidency.

Competition

Scrap that verdict. According to the EU Court of Justice’s (CJEU) Advocate General Giovanni Pitruzzella, the EU top court’s ruling that sided with Ireland in its tax regime with Apple “should be set aside”. In the influential legal opinion, the court’s advisor argued that the case should be referred to the General Court for a new decision because the previous ruling committed several errors.

CMA gives Amazon a break. The British Competition and Markets Authority (CMA) accepted Amazon’s commitments addressing their concerns about the company’s third-party seller data usage and how they choose the products offered in the “buy box” or “featured offer” and how the delivery rated work for Prime orders.

Break it up already. In a new legal opinion, civil society initiative LobbyControl called for Amazon to be broken up to end its widespread market power, “which is harmful to democracy”, according to a post on Tuesday, following the GWB Amendment, strengthening German competition law, coming into force on Monday.

Don’t give in to pressure. In a letter sent to EU Commissioner for Justice and Competition Didier Reynders on Monday, BEUC, the European Consumer Organisation, expressed their concerns about “the intense political pressure” to “neutralise enforcement of the EU’s merger control rules in the name of boosting the competitiveness of European industry”.

Cybersecurity

Cyber resilience act not so resilient? In a letter coordinated by DIGITALEUROPE, the CEOs of Siemens, Ericsson, Bosch, Nokia, and other industry heavyweights called on EU policymakers to address several critical aspects of the Cyber Resilience Act, notably the creation of bottlenecks that could disrupt the single market in a “COVID-style blockage in European supply chains.” The top executives also worry about the volumes and safeguards for vulnerability reporting.

NATO wants to shape the cyber world. The first annual NATO Cyber Defence Conference took place at the German Federal Foreign Office on Thursday and Friday. The focus of the meeting was on strengthening the cyber defence of the North Atlantic Treaty Organisation at a political, military and technical level. In addition to NATO Secretary General Jens Stoltenberg and German Foreign Minister Annalena Baerbock, the invited guests included their counterparts from Luxembourg, the Netherlands, the United Kingdom, Albania, and Finland. NATO secretary general emphasised in particular that digital attacks can also trigger an alliance attack, “Cyber-attacks trigger Article VI.”

Data & Privacy

Frontex’s data protection breaches. The EU border agency Frontex is processing personal data of migrants in breach of EU law and its own mandate, according to a letter by the European Data Protection Supervisor (EDPS), seen by Euractiv. Frontex’s board adopted internal rules on processing personal data at the end of 2021. In June 2022, the EDPS issued two non-binding opinions asking Frontex to improve some provisions to comply with Frontex’s mandate and the EU data protection framework. Moreover, the EU watchdog already expressed concerns about Frontex’s modus operandi in processing data on more than one occasion, most recently in May 2023 when it published the results of a visit the EDPS made to Frontex headquarters in October 2022. Euractiv understands the EDPS might take Frontex to the EU Court of Justice over the alleged breaches of data protection law if no corrective measures are promptly implemented, but only as a last resort. Read more.

Up to €20,000 fine per small GDPR infringement in France. The French data privacy watchdog, the CNIL, reported on Tuesday that it had issued 10 decisions under its 2022 simplified sanction procedure which allows the public administration to fine companies irrespective of EU or French data privacy laws. The 10 decisions amount to €97,000 and sanctioned notably infringements on geolocation and continuous video surveillance of employees,

More privacy professionals. This year’s report on privacy government by the International Association of Privacy Professionals shows that 33% of organizations’ privacy teams grew in the past year, “despite challenging economic conditions”. Out of the privacy professionals who participated in the survey, “86% reported regularly working with three or more teams within their organisation”, meaning that “the role of the privacy professional and privacy team has expanded and integrated” into organisations.

I understand you. The EDPS and the UK Information Commissioner’s Office (UK ICO) signed a “Memorandum of Understanding for Cooperation in the Application of Laws Protecting Personal Data”. Among other things, the document reaffirms that EDPS and ICO want “to deepen their existing relations and promote exchanges to assist each other in the application of laws protecting personal data” and sets out the principles of this cooperation.

EU, California, and privacy. Commissioner Didier Reynders met with Ashkan Soltani, executive director of the California Privacy Protection Agency, on Tuesday “to continue the exchange we had started during my visit in July”. Euractiv understands that, among the topics discussed, was also the upcoming Digital Advertising Act.

Digital diplomacy

Breton in China. On Friday, Commissioner Thierry Breton is set to be in Beijing, China, to meet Vice-Premier Zhang Guoqing, Minister of Commerce Wang Wentao, and Minister of Industry and Technology Jin Zhuanglong. They will discuss digital files related to technology and industry, as well as the EU’s de-risking agenda to protect its strategic interests. Breton is set to advocate for fair treatment of EU companies in the country. He will meet with the CEO of Alibaba International Digital Commerce Group Jiang Fan as well, to discuss platform regulations and e-commerce. Breton’s trip could also be a chance to discuss the issues raised at the EU-China High-Level Digital Dialogue in September.

Digital Markets Act

Should iMessage a CPS? Google and the largest EU telecommunications operators called on the European Commission to designate Apple’s iMessage under the Digital Markets Act, which would oblige it to grant interoperability with other messaging services, in a letter seen by Euractiv. The signatories of the letter, dated 3 November and addressed to Internal Market Commissioner Thierry Breton, are senior executives from Google, Orange, Deutsche Telekom, Telefónica, Vodafone, Element, and Wire. However, the letter was not co-signed by Meta, which has two messaging apps falling under the scope of the DMA: Messenger and WhatsApp. The iMessage’s designation is currently under investigation of the Commission, but since the EU executive has scarce resources this initiative should be seen as an attempt to put the matter on its priority list. Read more.

Morton Scott on Google competition. The Commission has taken the first step in “enabling competition” to Google Android and Google Play Services, US economist Fiona Scott Morton wrote in an article for Bruegel on Wednesday. “By keeping important Google Android functionality within the proprietary Google Play Services and omitting it from the open-source license, Google has been able to leverage access to its monopoly operating system” and “lessens competition for its services”, Morton Scott wrote. In July, she withdrew herself from consideration for the job of chief economist at the EU Commission’s Directorate-General for Competition, after controversy over her non-European nationality and possible conflicts of interest.

Digital Services Act

AliExpress, what’s up? On Monday the EU Commission sent a formal request to AliExpress to provide more information on the measures it has taken to protect consumers online, under the DSA. “The Digital Services Act is not just about hate speech, disinformation and cyberbullying. It is also there to ensure removal of illegal or unsafe products sold in the EU via e-commerce platforms, including the growing number of fake and potentially life-threatening medicines and pharmaceuticals sold online,” Thierry Breton, EU Internal Market Commissioner, commented. AliExpress has until 27 November to provide all pieces of information requested.

TikTok and YouTube under investigation. The European Commission is also planning an investigation about what measures TikTok and YouTube have taken to protect minors, especially their “mental and physical health”, under the Digital Services Act (DSA), it was announced on Thursday. The requests for the platforms to provide information have been formally sent out, according to the Commission, and the two sites have until 30 November to provide them. In August, Commissioner Thierry Breton said that child protection would be a priority of the DSA.

eGovernance

eIDs closed. The European Digital Identity Framework (eIDs) was finally closed at a trilogue on Wednesday, after the text was largely agreed at the technical level. The Parliament’s ITRE Committee will endorse the agreement on 28 November.

Gig economy

A ‘provocation’. The trilogue on the Platform Workers Directive did not mark any breakthrough on the thorniest legal presumption chapter, which determines the mechanism through which self-employed platform workers could be reclassified as employees. A Council ‘non-paper’, shared on Wednesday and seen by Euractiv, showed how little member states were willing and able to move on these provisions – with one MEP calling it a “provocation” – but several people present in the room also confirmed negotiations had been run in “good spirits, looking for a compromise”. Euractiv understands both Council and Parliament have now agreed to share new documents to best outline their red lines and potential landing zones.

Industrial strategy

European and American clouds. EU policymakers should have the “courage and fair-mindedness” to pursue a sovereign cloud and regulate American cloud providers under the EU antitrust law on digital markets, Michel Paulin, CEO of France’s largest cloud services provider OVHcloud, told Euractiv in an interview. The CEO slammed the Commission for ‘lack of courage’ for failing to designate US hyperscalers under the DMA and expressed hopes for a Schrems III. Read more.

Law enforcement

Phantom list. After the Irish Council for Civil Liberties (ICCL) filed complaints to the European Ombudsman against the European Commission, the EU watchdog has found a case of maladministration in the Commission’s refusal to provide the list of experts, which it first denied existing, with whom they worked together in drafting the regulation to detect and remove online child sexual abuse material (CSAM). The list of experts was of public interest because independent experts have stated on several occasions that detecting CSAM in private communications without violating encryption would be impossible. In the meantime, MEP Patrick Breyer published the list. Read more.

French strategy to fight child harassment goes digital. French Digital Minister Jean-Noël Barrot stated on Thursday that minors will have better access to the NGO e-Enfance, whose aim is to allow minors to surf the internet securely. On top of their application and a hotline providing support and assistance to young victims or witnesses of digital harassment, children will not be able to contact the NGO through their Instagram or Messenger applications, said Barrot. TikTok, the most used application by children and adolescents, is notably not referenced.

Platforms

Agreement on political advertising. EU co-legislators reached a deal on transparency and targeting of political advertising on Monday evening. According to the text seen by Euractiv, targeting ad-delivery techniques involving the processing of personal data is not permitted in the case of communications of political parties and non-profit bodies, for instance, in newsletters linked to political activities. MEPs introduced establishing the public repository for all online political advertising in the EU, or those directed at EU citizens, which will be managed by a Management Authority established by the European Commission. Read more.

Court says no to Austria. The EU’s top court ruled on Thursday that Big Tech companies are not subject to reporting systems for illegal content or reporting obligations imposed by EU member states that go beyond their own jurisdiction. With the win, the tech giants bypassed the Austrian decision to delete hate speech or be fined up to 10 million euros. The verdict might be highly consequential for France’s upcoming digital bill. Read more.

Meta to ban AI-generated political ads. A Meta spokesperson said on Monday that they will deny political campaigns and advertisers from using the company’s AI products for political advertising purposes. Starting next year, advertisers will have to let Meta know if they used AI for the ads and the policy will apply globally.

EU and TikTok. EU Digital Chief Thierry Breton told TikTok’s CEO Shou Zi Chew during a call on Monday that the platform should “spare no effort to protect our citizens against illegal content and disinformation” under the Digital Services The TikTok CEO also met Vice President Vera Jourova and Justice Commissioner Didier Reynders. Reynders emphasised the protection of minors on platforms, including the safe processing of personal data and transparency on commercial practices. The fight against hate speech online and compliance with the DSA was also discussed.

Is this valid? La Quadrature du Net, Access Now, ARTICLE 19, the European Center for Not-for-Profit Law, European Digital Rights, and Wikimedia France filed a complaint before Conseil d’État on Thursday against the French decree implementing the EU regulation on the dissemination of online terrorist content (TERREG). The coalition requests a preliminary ruling from the EU Court of Justice “on the validity of the TERREG”.

Telecom

Delete tacit approval. The controversial ‘tacit approval principle’ meant to speed up the roll-out of new broadband networks has been deleted from a new compromise text on the Gigabit Infrastructure Act, circulated by the Spanish presidency on Wednesday and seen by Euractiv. This deletion does not come as a shock since many EU countries saw the measure as problematic due to the specificity of their public administration. The new text will be discussed at the technical level on 14 November. The Council’s position is expected to be endorsed at the political level by competent ministers during the Transport, Telecommunications and Energy Council on 5 December. Read more.

Keep it a success. BEUC and the European Competitive Telecommunications Association shared their concerns in a joint statement, published on Thursday on the discussions about the future framework of the European telecommunications sector. While they think the telecoms regulation was a “success story”, they fear that the goals of a ‘Digital Networks Act’ would “run contrary to the achievements of the past decades”.

I need fibre, fibre, fibre is what I need. French telecommunications operator Orange and the French government signed a deal to push fibre roll-out. Digital Minister Jean-Noël Barrot said in an interview with Le Figaro on Monday that the deal will “reignite fibre deployment”, coherently with President Emmanuel Macron’s promise to “ensure fibre access for every French national by 2025”. If effective, France would attain the EU Digital Targets on fibre rollout five years in advance. According to September’s Digital Decade first report, France had 73 % of fibre coverage nationwide by the end of 2022, which the Commission called a “particularly good overall coverage”.

What else we’re reading this week:

Airbnb to Debut ‘Guest Favorite’ Listings, AI Tools in Reliability Push (Bloomberg)

Meta and Amazon team up on new in-app shopping feature on Facebook & Instagram (TechCrunch)

Stop suggesting children as friends, social media firms told (BBC)

Théophane Hartmann contributed to the reporting.

[Edited by Zoran Radosavljevic]

Read more with EURACTIV